1 ------------------------------------------------------------
3 revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
4 parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
5 author: Nathan Hoad <nathan@getoffmalawn.com>
6 committer: Amos Jeffries <squid3@treenet.co.nz>
8 timestamp: Wed 2013-07-10 06:47:48 -0600
10 Protect against buffer overrun in DNS query generation
14 This bug has been present as long as the internal DNS component; however,
15 most code reaching this point passes through URL validation first.
16 With Squid-3.2 Host header verification using DNS directly we may have
18 ------------------------------------------------------------
19 # Bazaar merge directive format 2 (Bazaar 0.90)
20 # revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
21 # target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
23 # testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
24 # timestamp: 2013-07-10 12:48:57 +0000
25 # source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
27 # base_revision_id: squid3@treenet.co.nz-20130222111325-\
31 === modified file 'src/dns_internal.cc'
32 --- src/dns_internal.cc 2011-10-11 02:12:56 +0000
33 +++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
34 @@ -1532,22 +1532,26 @@
36 idnsALookup(const char *name, IDNSCB * callback, void *data)
39 + size_t nameLength = strlen(name);
41 + // Prevent buffer overflow on q->name
42 + if (nameLength > NS_MAXDNAME) {
43 + debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
44 + callback(data, NULL, 0, "Internal error");
48 + if (idnsCachedLookup(name, callback, data))
51 + idns_query *q = cbdataAlloc(idns_query);
52 + q->id = idnsQueryID();
56 - if (idnsCachedLookup(name, callback, data))
59 - q = cbdataAlloc(idns_query);
61 - q->id = idnsQueryID();
63 - for (i = 0; i < strlen(name); i++)
64 + for (unsigned int i = 0; i < nameLength; ++i)
68 - if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
69 + if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
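Review bot: The retained index `name[nameLength-1]` on the last changed line reads one byte before the string when `name` is empty, because the new guard only rejects names longer than NS_MAXDNAME and nothing visible in this hunk rejects a zero-length one. Adding the length to the condition closes that: `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`. The rejected name is also streamed into the debugs() message in full; since the description says Host header verification can reach this code, logging `nameLength` plus a bounded prefix would keep the alert useful without putting an arbitrarily long request-derived string in the log. The body of idnsALookup continues outside this hunk, so if the search-path branch later appends a domain to q->name, the NS_MAXDNAME bound would need to leave room for it; that part is not visible here and should be confirmed.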